Security & Trust

Built so your compliance team can say yes in a single meeting.

PHI is the most heavily regulated data your organization handles. We treat it that way, from the BAA we send before pilot kickoff to the audit log written on every record view.

HIPAA-aligned by design

We operate under the HIPAA Security Rule as a Business Associate. A BAA is executed before any PHI is exchanged, no exceptions, no pilots over email attachments.

Encryption everywhere

TLS 1.2+ in transit. AES-256 at rest. Database-level encryption on managed Postgres with key rotation handled by our cloud provider. No PHI in logs, ever.

Least-privilege access

Row-level security on every PHI table, scoped to the authenticated clinician's panel. Service-role keys live only in server runtime, never in client bundles, never in git.

US-hosted, per-partner logical isolation

Data resides in US regions. Each partner organization is logically isolated at the database tier. We do not commingle PHI across hospitals or clinics.

SMART-on-FHIR, not screen-scraping

Epic and other EHR integrations use standard OAuth2 and FHIR R4. We request only the minimum necessary scopes, covering the Patient, Encounter, Condition, MedicationRequest and DocumentReference resources, and write our output back as a DocumentReference rather than keeping shadow records.

Audit logging on every PHI read

Every view, export, and write against a patient record is logged with actor, timestamp, and purpose. Logs are available to partner compliance teams on request.
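The two controls above (row-level security scoped to the clinician's panel, and an audit record on every write carrying actor, timestamp and purpose) are concrete enough to show in working SQL. The block below is an added illustration for PostgreSQL, not Impact Health Solutions' schema or code; every table, role and setting name in it (clinician_panel, encounter, phi_audit, app_clinician, app.clinician_id, app.purpose) is assumed for the example, and the UUIDs are placeholders.

```sql
-- Added illustration, not Impact Health Solutions' schema: panel-scoped RLS and
-- a write-audit trigger, both enforced inside PostgreSQL rather than in app code.
-- All table, role and setting names here (app.clinician_id, app.purpose) are assumed.

CREATE TABLE clinician_panel (
    clinician_id uuid NOT NULL,
    patient_id   uuid NOT NULL,
    PRIMARY KEY (clinician_id, patient_id)
);

CREATE TABLE encounter (
    encounter_id uuid PRIMARY KEY,
    patient_id   uuid NOT NULL,
    note         text
);

-- Append-only audit table. The application role gets NO privileges on it;
-- rows arrive only through the SECURITY DEFINER trigger below.
CREATE TABLE phi_audit (
    audit_id    bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    actor       uuid NOT NULL,
    purpose     text NOT NULL,
    action      text NOT NULL,
    table_name  text NOT NULL,
    row_id      uuid NOT NULL
);

-- The web tier connects as a role that neither owns the tables nor is a superuser:
-- both bypass RLS (the owner unless FORCE is set), so keeping service-role keys
-- server-side is necessary but not sufficient; the runtime role must also be this one.
CREATE ROLE app_clinician NOLOGIN;
GRANT SELECT ON clinician_panel TO app_clinician;
GRANT SELECT, INSERT, UPDATE ON encounter TO app_clinician;

ALTER TABLE clinician_panel ENABLE ROW LEVEL SECURITY;
ALTER TABLE clinician_panel FORCE ROW LEVEL SECURITY;
ALTER TABLE encounter       ENABLE ROW LEVEL SECURITY;
ALTER TABLE encounter       FORCE ROW LEVEL SECURITY;

-- The caller's identity is a transaction-local setting. NULLIF matters: on a pooled
-- connection a placeholder setting that was SET LOCAL in an earlier transaction can
-- come back as '' rather than NULL, and ''::uuid would raise. With NULLIF an unset
-- identity compares as NULL, which matches zero rows: a request that forgot to set
-- its clinician fails closed, not open.
CREATE POLICY panel_self ON clinician_panel
    FOR SELECT TO app_clinician
    USING (clinician_id = NULLIF(current_setting('app.clinician_id', true), '')::uuid);

CREATE POLICY encounter_panel_scope ON encounter
    FOR ALL TO app_clinician
    USING (EXISTS (
        SELECT 1 FROM clinician_panel p
        WHERE p.patient_id   = encounter.patient_id
          AND p.clinician_id = NULLIF(current_setting('app.clinician_id', true), '')::uuid))
    WITH CHECK (EXISTS (
        SELECT 1 FROM clinician_panel p
        WHERE p.patient_id   = encounter.patient_id
          AND p.clinician_id = NULLIF(current_setting('app.clinician_id', true), '')::uuid));

-- Every write is recorded with who, when and why. A write arriving without a declared
-- actor or purpose is rejected, so no change can slip through unlogged. SECURITY DEFINER
-- lets the trigger insert into phi_audit although the app role cannot touch that table.
CREATE FUNCTION log_phi_write() RETURNS trigger
    LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public
AS $$
DECLARE
    actor   uuid := NULLIF(current_setting('app.clinician_id', true), '')::uuid;
    purpose text := NULLIF(current_setting('app.purpose', true), '');
BEGIN
    IF actor IS NULL OR purpose IS NULL THEN
        RAISE EXCEPTION 'PHI write on % without app.clinician_id and app.purpose',
            TG_TABLE_NAME;
    END IF;
    INSERT INTO phi_audit (actor, purpose, action, table_name, row_id)
    VALUES (actor, purpose, TG_OP, TG_TABLE_NAME,
            CASE TG_OP WHEN 'DELETE' THEN OLD.encounter_id ELSE NEW.encounter_id END);
    RETURN NULL;  -- AFTER trigger; the return value is ignored
END;
$$;

CREATE TRIGGER encounter_audit
    AFTER INSERT OR UPDATE OR DELETE ON encounter
    FOR EACH ROW EXECUTE FUNCTION log_phi_write();

-- Per-request pattern for the application: one transaction per request,
-- SET LOCAL so both settings die with it.
BEGIN;
SET LOCAL ROLE app_clinician;   -- the login role must have been GRANTed app_clinician
SET LOCAL app.clinician_id = '11111111-1111-1111-1111-111111111111';  -- from the verified session
SET LOCAL app.purpose      = 'treatment';
SELECT encounter_id, note FROM encounter;   -- only this clinician's panel is visible
UPDATE encounter SET note = note || ' (reviewed)'
 WHERE patient_id = '22222222-2222-2222-2222-222222222222';  -- audited, or rejected if unscoped
COMMIT;
```

Two limits of this pattern are worth knowing. PostgreSQL fires triggers only on writes, so the "every view, every export" half of the audit claim has to be produced by the application layer or a logging extension such as pgaudit, not by the database schema alone. And `SET ROLE` can always be undone with `RESET ROLE`, so if an injection ever reaches the database the login role's own privileges are the real ceiling; they should be no wider than app_clinician's.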

What we share under NDA

Everything your security review actually asks for.

We don't ship a glossy "trust page" and call it a day. Sign an NDA and we send the real packet, the one your CISO or IT security lead needs to clear a pilot.

  • Executed BAA template (plain English, single signature)
  • Security & architecture overview (data flow, hosting, key management)
  • SMART-on-FHIR scopes & client registration details
  • Vendor security questionnaire responses (HECVAT-lite, SIG-lite)
  • Incident response plan summary & breach notification SLA
  • Sub-processor list with their compliance attestations

Honest disclosure: Impact Health Solutions is an early-stage company. We are not yet SOC 2 Type II certified; that audit is on our roadmap once we cross our first multi-site deployment. In the meantime we are happy to walk your team through every control we do have in place and to map each one to the SOC 2 trust services criteria your auditors will eventually expect.

Need the full security packet?

Tell us a little about your organization and we'll send the BAA, architecture overview, and questionnaire responses within one business day.

Request the packet